Iptables for Debian


iptables (IPv4)

Create the ruleset:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# iptables -A INPUT -j DROP

This is a very basic ruleset that blocks all incoming connections except SSH and DNS. ICMP 'echo request' and 'fragmentation needed' are also allowed. You do not have to allow 'echo request', but you are strongly advised to keep 'fragmentation needed' so that path MTU discovery will work!

Once happy with the ruleset, save it:

# iptables-save > /etc/iptables.rules

The rules can now be applied at any time by running:

# iptables-restore < /etc/iptables.rules

A good time to do this would be when bringing up the network interfaces at boot time. Edit /etc/network/interfaces and add a line like so:

iface eth0 inet static
    address 12.34.56.78
    netmask 255.255.255.0
    gateway 12.34.56.1
    pre-up iptables-restore < /etc/iptables.rules

You can view the current state of iptables with:

# iptables -L -v -n

ip6tables (IPv6)

The process is identical for IPv6, but we use ip6tables instead:

# ip6tables -A INPUT -i lo -j ACCEPT
# ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ip6tables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
# ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
# ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# ip6tables -A INPUT -j DROP

Once happy with the ruleset, save it:

# ip6tables-save > /etc/ip6tables.rules

The rules can now be applied at any time by running:

# ip6tables-restore < /etc/ip6tables.rules
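The files that iptables-save and ip6tables-save write above are plain text, so a ruleset can be generated, reviewed and syntax-checked before it is ever loaded at boot. The script below is an added example, not part of this wiki page: it emits the IPv4 and IPv6 rulesets from both sections in the save format that iptables-restore and ip6tables-restore read, and it checks the one ordering mistake this style of ruleset invites, namely a rule appended with -A after the final "-A INPUT -j DROP", which can never match. The function names and the port lists (22 and 53, as on the page) are this example's own.

```sh
#!/bin/sh
# Added example (not from the wiki page): generate the page's rulesets in
# iptables-save format and verify rule order before loading them.
# Function names here are this example's own, not iptables commands.

# gen_rules FAMILY  -- FAMILY is 4 or 6; prints a complete filter table.
gen_rules() {
    family=${1:-4}
    tcp_ports="22 53"   # SSH and DNS, as on the page
    udp_ports="53"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp -m udp --dport $p -j ACCEPT"
    done
    if [ "$family" = 6 ]; then
        # ICMPv6 carries neighbour discovery as well as PMTU, so the page
        # lets all of it through
        echo '-A INPUT -p ipv6-icmp -j ACCEPT'
    else
        # iptables-save writes fragmentation-needed as type 3, code 4
        echo '-A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT'
        echo '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    fi
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# check_drop_last  -- reads save-format text on stdin; returns 0 when no INPUT
# rule follows the catch-all DROP, 1 when an unreachable rule was found.
check_drop_last() {
    awk '
        /^-A INPUT -j DROP$/ { seen_drop = 1; next }
        /^-A INPUT / && seen_drop { bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# count_input_rules  -- number of "-A INPUT" lines on stdin
count_input_rules() {
    grep -c '^-A INPUT '
}

# syntax_check FILE  -- parse FILE with iptables-restore without committing it.
# --test is a real iptables-restore option; running it requires root.
syntax_check() {
    iptables-restore --test < "$1"
}

# Stand-alone use: "sh thisscript.sh write" writes both files and verifies
# rule order; load them afterwards with iptables-restore / ip6tables-restore.
if [ "${1:-}" = write ]; then
    gen_rules 4 > /etc/iptables.rules
    gen_rules 6 > /etc/ip6tables.rules
    check_drop_last < /etc/iptables.rules && check_drop_last < /etc/ip6tables.rules
fi
```

Run check_drop_last over any saved rules file after editing it by hand; the page's trailing "-A INPUT -j DROP" means every later "-A INPUT" line is dead, and iptables-restore will load such a file without complaint.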

Once again, the configuration can be applied at boot time in /etc/network/interfaces like this:

iface eth0 inet6 static
    address 2001:123:12:34::abc:de
    netmask 64
    gateway 2001:123:12:34::1
    pre-up ip6tables-restore < /etc/ip6tables.rules

You can view the current state of ip6tables with:

# ip6tables -L -v -n